Attackers’ new way to outsmart traditional defenses is by weaponizing legitimate software

A dark figure in a hoodie representing a hacker.
(Image credit: Shutterstock)

As businesses navigate the digital landscape, the threat of ransomware is rising. Every day brings innovative techniques for cyber criminals to perform more advanced and complex attacks. So, it has become quite clear that traditional defense strategies are no longer sufficient to effectively safeguard the business, improve identity security and combat attackers’ evolving tactics. In fact, 66% of companies were affected by ransomware in 2023, and this number is only expected to increase.

Ransomware is no longer just about creating sophisticated malicious software to infect people’s computers – cyberattackers have now started using and exploiting organizations' legitimate software to conduct malicious activities and steal people’s identity without creating their own custom malware.

Cybercriminals capitalize on vulnerabilities in Open Source Software (OSS), seamlessly integrating their malicious elements into OSS framework. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently warned that this trend is only getting more common, highlighting instances like the Lockbit operation. This is an example of cyber attackers using legitimate, free software for various malicious activities, such as exploring networks, accessing remotely, tunnelling, stealing credentials and taking files.

Unfortunately, conventional endpoint security solutions often lack the behavior analytics capabilities necessary to detect subtle indicators of compromise such as unusual logins, privilege escalation, program execution or other risky activities. As such, by utilizing the tools already employed by organizations, attackers can acquire admin privileges more easily, while evading detection. Organizations must be aware of these evolving techniques and adapt their defense strategies accordingly.

Andy Thompson

Offensive Research Evangelist, CyberArk Labs.

Six tactics employed throughout the ransomware attack lifecycle

Ransomware actors increasingly use legitimate software to their advantage at various stages of the attack lifecycle. They employ many different tactics, techniques and procedures to advance their missions, including the examples highlighted below.

Initial Infection: Securing initial access presents a diverse range of options for attackers. Some opt for exploiting vulnerabilities, utilising common vulnerability exploitations (CVEs) against susceptible targets. Others resort to stealing, forging, altering or manipulating cookies from users' web sessions. Alternatively, they employ phishing emails to deceive users into downloading genuine applications.

Persistence: Attackers leverage legitimate software to establish backdoors, ensuring persistence and command and control. This involves manipulating these tools to bypass Multi-Factor Authentication (MFA), modify, or disable existing security tools to avoid detection, from terminating endpoint detection and response (EDR)- protected processes to modifying/deleting registry keys or configuration measures. In instances like the RMM ransomware attacks mentioned earlier, threat actors utilized portable executables within the software to gain access without requiring local admin privileges or a complete software installation.

Many default software programs on a machine become potential targets for hijacking, guaranteeing the execution of malicious programs. Application features such as task schedulers are also abused for maintaining persistence, launching programs or scripts at specified times.

Privilege Escalation: User Account Control (UAC) protects Windows operating systems, prompting admin credentials for any attempt to run a program as an administrator. While most ransomware today doesn't demand admin rights, attackers often focus on bypassing UAC to elevate access and establish persistence.

Lateral Movement: Certain tools inadvertently facilitate malicious privilege escalation and lateral movement. Examples include AdFind, a command-line query tool for Active Directory, and AdvancedRun, enabling privilege escalation by altering settings before running software. Additionally, various Windows features functioning as remote procedural call (RPC) servers become vulnerable points for lateral movement when abused by attackers.

Encryption: Encryption serves both as a protective tool and a weapon. Encryption tools hide data from unauthorized users, but attackers can also weaponize them as ransomware. Legitimate access to encrypted data can be compromised to bypass encryption controls.

Data Exfiltration: Ransomware operators employing double-extortion techniques often utilize legitimate backup software tools or similar programs for data exfiltration. Recent research by CyberArk Labs noted the use of Discord, a popular collaboration app, for data exfiltration via webhooks.

Malicious actors are also adapting their tools to target multiple platforms and operating systems. For instance, they employ the cross-platform language Rust to target Linux. macOS is not exempt, with attackers exploiting Find My iPhone to infect Apple devices.

Enhancing defense strategies to block ransomware

As ransomware actors are increasingly exploiting legitimate software to perpetrate their attacks, organizations must remain vigilant and proactive in strengthening their identity management security strategies. In particular, embracing an identity-centric defense-in-depth approach is key. This approach includes important security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR) email security and patch management – putting least privilege and behavior analytics at the core of the defense strategy. 

So, by recognizing and addressing the tactics employed throughout the ransomware attack lifecycle – from initial infection to data exfiltration – companies can bolster their defenses, enhance identity security, mitigate the risk posed by cyber criminals, and safeguard the business against the ever-evolving threat of ransomware.

We've listed the best online cybersecurity courses.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

TOPICS

Andy Thompson, Offensive Research Evangelist, CyberArk Labs.